Rootkit - Physicaldrive0\Partition 4 Found

[mkphillips4]

Avast found a rootkit virus but it doens't delete.  How do you eliminate this threat?

[magna86]

Hi,

Please read this guide:
http://forum.avast.com/index.php?topic=53253.0

Run this diagnostic tool from guide and attach here reports from thouse tools.
someone will notify essexboy to review logs.

[mkphillips4]

Thank you for the quick response.  Here is the data:

MBAM Scan -

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.14.06

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Mike :: MIKE-PC [administrator]

2/14/2012 8:49:23 PM
mbam-log-2012-02-14 (20-49-23).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 180340
Time elapsed: 3 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

[akama1]

you may like to try aswmbr and GMER they can remove it

[DavidR]

Please stay out of malware removal topics until you are qualified to assist. Magna86 has already started the ball rolling and he or essexboy will follow it up.

[essexboy]

Could you run aswMBR please as that will show me the problem area

[mkphillips4]

Log is attached:


aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-18 07:55:33
-----------------------------
07:55:33.139    OS Version: Windows x64 6.1.7600
07:55:33.139    Number of processors: 2 586 0x602
07:55:33.139    ComputerName: MIKE-PC  UserName: Mike
07:55:46.461    Initialize success
07:55:46.695    AVAST engine defs: 12021800
07:55:50.065    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005c
07:55:50.065    Disk 0 Vendor: Hitachi_ PB4O Size: 476940MB BusType: 11
07:55:50.096    Disk 0 MBR read successfully
07:55:50.096    Disk 0 MBR scan
07:55:50.112    Disk 0 Windows 7 default MBR code
07:55:50.112    Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS        12000 MB offset 2048
07:55:50.143    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 24578048
07:55:50.159    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       464838 MB offset 24782848
07:55:50.190    Disk 0 Partition 4 00     17 Hidd HPFS/NTFS NTFS            1 MB offset 976771072
07:55:50.205    Disk 0 Partition 4  **INFECTED** MBR:Alureon-K [Rtk]
07:55:50.221    Service scanning
07:55:52.951    Modules scanning
07:55:52.951    Disk 0 trace - called modules:
07:55:52.998    ntoskrnl.exe CLASSPNP.SYS disk.sys amdxata.sys ACPI.sys storport.sys hal.dll amdsata.sys
07:55:53.013    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004a74760]
07:55:53.013    3 CLASSPNP.SYS[fffff8800191843f] -> nt!IofCallDriver -> [0xfffffa80045cf7f0]
07:55:53.029    5 amdxata.sys[fffff880010758b9] -> nt!IofCallDriver -> [0xfffffa80045cf2d0]
07:55:53.045    7 ACPI.sys[fffff88000eca781] -> nt!IofCallDriver -> \Device\0000005c[0xfffffa80045cb350]
07:55:54.371    AVAST engine scan C:\Windows
07:55:59.285    AVAST engine scan C:\Windows\system32
08:01:27.447    AVAST engine scan C:\Windows\system32\drivers
08:01:54.747    AVAST engine scan C:\Users\Mike
08:05:56.142    AVAST engine scan C:\ProgramData
08:06:40.898    Scan finished successfully
08:08:26.370    Disk 0 MBR has been saved successfully to "C:\Users\Mike\Desktop\MBR.dat"
08:08:26.385    The log file has been saved successfully to "C:\Users\Mike\Desktop\aswMBR.txt"

[essexboy]

OK it seems as though Avast is stopping the malware from being active (which is good) but is unable to remove it automatically

Go Start > Run
Type in compmgmt.msc
Select Storage
Select Disc Management
Locate the 1 Mb partion (4)
Right click and select delete
Rerun aswMBR and post the log please

[mkphillips4]

I'm a little lost right now.  I've gotten to the screen you show in the your last post but I don't know what or where to go from there.  I can't figure out how to navigate on that screen.

[essexboy]

You need to locate the fourth partiton on the far right, it will be small, just 1 Mb
Right click that from the disc management   screen
Select delete

[mkphillips4]

Thank you.  The light bulb finally went off.  Here's the new scan:

aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-19 08:21:55
-----------------------------
08:21:55.152    OS Version: Windows x64 6.1.7600
08:21:55.152    Number of processors: 2 586 0x602
08:21:55.152    ComputerName: MIKE-PC  UserName: Mike
08:21:57.648    Initialize success
08:21:57.710    AVAST engine defs: 12021900
08:22:00.066    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005c
08:22:00.066    Disk 0 Vendor: Hitachi_ PB4O Size: 476940MB BusType: 11
08:22:00.097    Disk 0 MBR read successfully
08:22:00.097    Disk 0 MBR scan
08:22:00.113    Disk 0 Windows 7 default MBR code
08:22:00.128    Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS        12000 MB offset 2048
08:22:00.144    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 24578048
08:22:00.144    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       464838 MB offset 24782848
08:22:00.159    Service scanning
08:22:01.875    Modules scanning
08:22:01.875    Disk 0 trace - called modules:
08:22:01.907    ntoskrnl.exe CLASSPNP.SYS disk.sys amdxata.sys ACPI.sys storport.sys hal.dll amdsata.sys
08:22:01.922    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004a64420]
08:22:01.938    3 CLASSPNP.SYS[fffff880019a043f] -> nt!IofCallDriver -> [0xfffffa80049a9040]
08:22:01.953    5 amdxata.sys[fffff880010828b9] -> nt!IofCallDriver -> [0xfffffa80049a8d30]
08:22:01.953    7 ACPI.sys[fffff88000f93781] -> nt!IofCallDriver -> \Device\0000005c[0xfffffa80049a5060]
08:22:03.404    AVAST engine scan C:\Windows
08:22:07.725    AVAST engine scan C:\Windows\system32
08:25:03.429    AVAST engine scan C:\Windows\system32\drivers
08:25:12.929    AVAST engine scan C:\Users\Mike
08:29:59.876    AVAST engine scan C:\ProgramData
08:30:44.289    Scan finished successfully
08:31:36.128    Disk 0 MBR has been saved successfully to "C:\Users\Mike\Desktop\MBR.dat"
08:31:36.128    The log file has been saved successfully to "C:\Users\Mike\Desktop\aswMBR.txt"

[essexboy]

How is the computer behaving now ?